Two Popup Windows, On A Blog, Is Malware

It's possible that a blog which starts with two popup windows, one after the other, belongs to a blog owner who honestly wants people to enjoy her (his) blog. Even so, a blog that starts out this way is going to present a security analysis challenge, at best.

Seeing the growing popularity of the FaceBook popup (among blog owners, anyway), it's possible that the security scanning processes will, eventually, find a way to recognise the FaceBook code, skip past it, and continue scanning. This may avoid some spurious malware classifications - if FaceBook developers can find a way to certify a genuine FaceBook popup.

Generic popup windows, on the other hand, need to be dealt with, sternly.

Every IT security consultant, with any experience, has seen the well-known advice:

That is a generic popup window. In this example, "xxxxxxx" is non-existent - the install of "yyyyyyy" is merely the start of installing the "zzzzzzz" botnet member software.

Generic popup windows are suspicious.

Seeing a generic popup window, almost all security scanning processes are going to go into immediate threat detection status. Any blog hosting a generic popup should be immediately quarantined - so it can be scanned, through several levels of links, for the malware payload which surely hides somewhere.

A generic popup window, followed by a second popup, is even more suspicious.

Any blog which hosts a generic popup window, followed immediately by a FaceBook "Like my blog!" popup window, must be regarded with even more suspicion. It does not take much paranoia (a mindset normal for all IT security professionals) to imagine a devious malware producer releasing his (her) own bogus FaceBook popup - with a little extra code added.

The generic popup window, preceding a bogus "FaceBook" popup, is then used as a "false flag" device, designed to confuse the security scanning software - so that the malware delivered by the bogus FaceBook popup is ignored.

The two popup windows, one after the other, may conceal malware installation.
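The scanning heuristic laid out above (a generic popup is suspicious on its own; a generic popup followed by a "Like my blog!" popup is more so; a "FaceBook" popup can only be trusted if it is certified as coming from FaceBook itself) can be written down as a small classifier. The following is an added example, not code from the original post or from any real scanner: popup events, the script origins, the generic-prompt phrase list and the `example.invalid` domains are all constructed for the example, and treating `facebook.com` as the only genuine origin of a FaceBook popup is an assumption standing in for whatever certification FaceBook developers might provide.

```python
"""Popup-sequence heuristic from the post, as an added example (constructed data).

Rules implemented:
  * a generic "install this to view the page" popup -> quarantine and scan
  * a brand ("Like my blog!") popup served from a non-brand origin -> bogus
  * a generic popup followed by a brand popup -> possible false-flag pair
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption for the example: only these hosts count as a genuine FaceBook origin.
GENUINE_BRAND_HOSTS = {"facebook.com", "www.facebook.com"}

# Text markers that make a popup look like a FaceBook "Like my blog!" popup.
BRAND_MARKERS = ("facebook", "like my blog")

# Constructed phrase list for generic "install xxxxxxx to view this page" prompts.
GENERIC_PHRASES = ("install", "update your player", "to view this page", "download now")


@dataclass
class PopupEvent:
    order: int        # 1 = first popup shown to the visitor, 2 = second, ...
    text: str         # visible text of the popup
    script_url: str   # URL of the script that opened the popup


def popup_kind(ev: PopupEvent) -> str:
    """Classify one popup as brand-genuine, brand-bogus, generic or unknown."""
    host = (urlsplit(ev.script_url).hostname or "").lower()
    low = ev.text.lower()
    if any(marker in low for marker in BRAND_MARKERS):
        # Brand wording is only trusted when the opening script comes from the brand.
        return "brand-genuine" if host in GENUINE_BRAND_HOSTS else "brand-bogus"
    if any(phrase in low for phrase in GENERIC_PHRASES):
        return "generic"
    return "unknown"


def assess_blog(events):
    """Return (verdict, reasons) for the ordered popups observed on one blog."""
    kinds = [popup_kind(e) for e in sorted(events, key=lambda e: e.order)]
    reasons = []
    verdict = "clean"
    if "generic" in kinds:
        verdict = "quarantine"
        reasons.append("generic popup present: scan linked pages for a payload")
    if "brand-bogus" in kinds:
        verdict = "quarantine"
        reasons.append("brand popup served from a non-brand origin: possible bogus popup")
    if len(kinds) >= 2 and kinds[0] == "generic" and kinds[1].startswith("brand"):
        verdict = "quarantine"
        reasons.append("generic popup followed by brand popup: possible false-flag pair")
    return verdict, reasons


# Constructed sample: the two-popup sequence described in the post.
SUSPECT_EVENTS = [
    PopupEvent(1, "You need xxxxxxx to view this page. Install yyyyyyy now.",
               "http://cdn.example.invalid/player.js"),
    PopupEvent(2, "Like my blog on FaceBook!",
               "http://widgets.example.invalid/fb-like.js"),
]

# Constructed sample: a single brand popup whose script really comes from the brand host.
CLEAN_EVENTS = [
    PopupEvent(1, "Like my blog on FaceBook!", "https://www.facebook.com/widget.js"),
]

if __name__ == "__main__":
    for name, events in (("suspect", SUSPECT_EVENTS), ("clean", CLEAN_EVENTS)):
        verdict, reasons = assess_blog(events)
        print(f"{name}: {verdict}")
        for r in reasons:
            print("  -", r)
```

The origin check is the important piece: the popup's wording is what a bogus copy imitates, while the host the opening script was loaded from is what a scanner can actually verify, so the two-popup sequence is only waved through when the second popup passes that check and no generic popup preceded it.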

Seeing the growing popularity of the FaceBook popup, surely there are malware vendors out there planning just that technique to deliver their product - if they have not done so already.

Any blog owner who adds both popups to her (his) blog should expect to receive a locked blog - followed by a locked Blogger account - as a devious / non-repentant malware publisher.
